Advice for writing a successful FedRAMP SSP

A FedRAMP SSP (System Security Plan) is the bedrock of a FedRAMP assessment and the primary document of the security package in which a cloud service provider (CSP) details their system architecture, data flows and authorization boundaries, and all security controls and their implementation.

Keep in mind that to prevent conflicts of interest, 3PAO’s are prohibited by regulation from helping a CSP put together a FedRAMP SSP and also conducting that CSP’s FedRAMP assessment.

A FedRAMP SSP is a highly detailed document that must be readable, relevant, consistent, and complete. Even tiny mistakes can cause lengthy delays in the FedRAMP certification process. Here are some tips for writing a successful FedRAMP SSP.

Allocate sufficient time and resources to writing your FedRAMP SSP

Expect your FedRAMP SSP to be several hundred pages long. Putting together an SSP is never an overnight project, and it’s rarely a one-person job. Organizations generally require the input of several subject matter experts with deep technical knowledge of the systems they are documenting, as well as NIST and FedRAMP security controls.

Make sure the FedRAMP SSP is clear, concise, consistent, and complete

Although an SSP is a group project, it shouldn’t “look” like one when it is finished. FedRAMP PMO’s don’t expect System Security Plans to read like Pulitzer Prize-worthy literature, but they do expect that CSP’s to turn in a logically organized document that describes systems and controls clearly and completely, and that is not riddled with spelling and grammar errors. When reviewing an SSP, a FedRAMP PMO looks for the 4 C’s:

• Do not write meandering, convoluted, or overly long descriptions. Avoid the use of passive voice, as it could cause confusion. Do not include text that is not directly relevant to the specific control being described.
• Describe each system and control completely, but use as few words as possible. Make each word count.
• All system names and abbreviations, hardware and software elements, and citations referenced in the SSP should be referenced in exactly the same way throughout the entire document. The presentation style and level of detail should also be consistent throughout.
• Use the correct FedRAMP SSP template, and do not modify or remove sections. However, sections can be added if necessary. Address all required controls. If a control has multiple requirements, you must address all of them. If a control is inherited or does not apply, use a risk-based justification to explain why. You must describe how each control is addressed in your system; you cannot simply copy/paste or rephrase the control requirements.

Identify all people and places relevant to your controls

All people who are responsible for implementing/enforcing a security control must be identified, by role. All roles defined for a control should also be included in the SSP’s Roles and Privileges table.

The SSP must also describe all possible places where a control is implemented; for example:

• Access for both privileged and non-privileged users
• Access control, audit logging, maintenance, flaw remediation, and configuration management for all platforms
• Physical controls at all facilities

Be sure to select the correct Implementation Status for each control

A common SSP error is checking the wrong Implementation Status; for example, a control is marked Planned but does not identify a planned date. FedRAMP offers the following general guidance:

• If all or part of the control is an alternative implementation, check both “Partially Implemented” and “Alternative Implementation.”
• If all or part of the control is planned, check both “Partially Implemented” and “Planned.”
• If selecting a status of Planned, Alternative Implementation, and/or Not Applicable, clearly explain the aspects of the control that are Planned, Alternative, and/or Not Applicable in the implementation description.
• If the control is solely a customer responsibility, and the CSP has no responsibility for the implementation of the control, check “Implemented,” along with the appropriate customer-related control origination.

Use an automation solution such as Continuum GRC’s ITAM

Traditionally, creating a FedRAMP SSP has been an arduous, manual, and chaotic process involving dozens of text documents and spreadsheets. Updating and maintaining it over time was extremely difficult and prone to error, and it wasn’t integrated with any of the technologies 3PAO’s use to carry out FedRAMP assessments.

Now, CSP’s have access to automation solutions, such as the IT Audit Machine (ITAM) FedRAMP SSP module from Continuum GRC. ITAM is a cloud-based solution that uses pre-loaded, drag-and-drop modules to walk CSP’s through the process of preparing their SSP, ensuring completeness and accuracy. CSP’s not only save time and money upfront, while preparing their SSP, but later on, when they are ready to work with their 3PAO.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

FedRAMP Certification Can Help Grow Your Cloud Service Business

The Federal Risk and Authorization Management Program (FedRAMP) was designed to support the federal government’s “cloud-first” initiative by making it easier for federal agencies to contract with cloud providers. Like FISMA, DFARS, CJIS, and HIPAA, FedRAMP’s security controls are based on NIST 800-53. If your cloud service business contracts with the U.S. federal government, you are required to comply with FedRAMP. However, with concerns over cloud security deepening in the wake of numerous high-profile cloud breaches, FedRAMP certification may be a worthwhile investment even if your company does not currently contract with the U.S. government.

Benefits of FedRAMP Certification

FedRAMP certification is a long, arduous, and potentially expensive process. Unlike FISMA, which allows organizations to perform their own assessments, FedRAMP certification must be performed by a certified third-party assessment organization (3PAO). However, FedRAMP certification offers many benefits to cloud service providers, including:

• The U.S. government is the single largest buyer of goods and services in the world, and federal agencies are reliable customers that continue to buy even during economic downturns, when private-sector firms cut back. Your company may eventually want to tap this very stable, highly lucrative market.
• The U.S. government is “cloud-first.” To federal agencies, “cloud-first” isn’t just marketing hyperbole; it’s a directive from the White House to “evaluate safe, secure, Cloud Computing options before making any new investments.”
• FedRAMP is “do once, use many times.” Unlike the FISMA standard, which requires organizations to seek an Authority to Operate (ATO) from each individual federal agency they do business with, a FedRAMP ATO qualifies a cloud service provider to do business with any federal agency.
• The FedRAMP certification process will uncover your risks and vulnerabilities and improve your company’s data security. All of your customers will benefit from the security controls you put in place to comply with FedRAMP – and this is a big selling point. Private-sector companies know how arduous the FedRAMP certification process is, and they see it as a gold standard of data security.
• You will be able to better compete in the highly competitive cloud services market. As cloud services companies multiply, and concerns over cloud security grow, FedRAMP certification will help your company stand out in a crowded marketplace.
• Completing the FedRAMP certification process will make other security audits easier. FedRAMP controls are based on NIST 800-53, which is the basis for numerous other standards that your company likely needs to comply with, including HIPAA, DFARS, and CJIS.

Choosing a 3PAO

The FedRAMP compliance process begins with selecting the right 3PAO. In addition to FedRAMP experience, make sure that your 3PAO has expertise in cloud security and has worked with private-sector firms as well as government agencies. It is also critical that your 3PAO be well-versed in FISMA, as FedRAMP maps to the same NIST 800-53 standards that FISMA does.

Also make sure to ask questions about the tools your 3PAO will be using during the certification process; specifically, will the 3PAO be using spreadsheets or modern IRM GRC software? Continuum GRC’s proprietary IT Audit Machine, a revolutionary IRM GRC software package that utilizes pre-loaded, drag-and-drop modules, takes the pain and high costs out of the FedRAMP certification process. Some of our clients have saved up to 1,000% over traditional FedRAMP assessment methods.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Verizon, Trump Hotels, and the RNC are Among the Recent Victims of Third-Party Breaches

Even if your own cyber security is up to snuff, your organization could be at risk of third-party breaches if your business partners are not as diligent as you are. Verizon just learned this lesson the hard way after one of its vendors, telephonic software and data company NICE Systems, left the information of 14 million Verizon customers on a misconfigured Amazon server.

This incident did not happen in a vacuum. Other recent third-party breaches affecting major organizations include:

• The Republican National Committee (RNC), whose data analytics vendor exposed the data of 198 million voters after leaving it on – you guessed it – a misconfigured Amazon server.
• Trump Hotels, which, along with chains such as Hard Rock and Four Seasons, had its customer data exposed after a breach at its reservations vendor, Sabre Corporation.
• A number of Google employees were also impacted by the Sabre breach because Google’s third-party travel management company used Sabre’s systems – meaning this breach happened at the third-party vendor of a third-party vendor.
• Netflix, which had the upcoming season of its hit series Orange Is the New Black dumped online after a hacker breached a third-party post production house, Larson Studios. It has since been discovered that the hackers got into Larson’s systems by taking advantage of the fact that the company was running an antiquated version of Windows.

Third-Party Breaches Common in the Age of Outsourcing

Once a dirty word, outsourcing is a normal part of doing business in the 21^st century. Organizations of all sizes routinely retain the services of third-party business partners to take care of all manner of functions outside their core competencies, from cloud storage to customer billing to payroll services. Unfortunately, because so many business functions are now outsourced, third-party breaches have more common than primary data breaches; an estimated 63% of all enterprise breaches can be traced back to a third-party vendor.

If one of your vendors gets hacked, don’t expect to be able to point fingers and pass the buck. Even if your business partner makes a colossal mistake, your organization will be the one that’s held responsible by your customers, any affected banks, and regulatory bodies. The infamous Target breach, which cost the company nearly $300 million and shook up its C-suite, involved a third-party vendor.

Protecting Your Organization from Third-Party Breaches

As with primary cyber attacks, the best way to deal with third-party breaches is to prevent them from happening in the first place. While you cannot dictate to your business partners how they should run their firms, as their paying customer, your enterprise is not without recourse:

• Understand your enterprise ecosystem so that you can build risk profiles for all of your business partners. Who are your business partners, and what service does each provide? What level of access do they have to your data and systems?
• Understand who your vendors are subcontracting to and whether they will have access to your data. As in Google’s case, a breach at a third-party vendor used by one of your third-party vendors can come back to haunt your organization.
• Include cyber security provisions in your vendor contracts, including security measures your business partners must take regarding their own vendors.
• Give your vendors the minimum level of access to your systems and data that they need, and no more.
• Only do business with IT services vendors who have released AICPA SOC / SSAE16 reports and/or who have important IT security certifications such as NIST, ISO, or FedRAMP. These organizations have undergone rigorous security audits and have proven their commitment to the highest levels of data security.

Further to the above, if your business provides IT services to other businesses, obtaining the appropriate data security certifications is a wise investment that will help you instill trust in your customers. Continuum GRC’s IT Audit Machine (ITAM IT audit software) RegTech solution empowers organizations to get and maintain compliance the easy way, with self-help modules covering numerous compliance standards, including FedRAMP, SSAE 16, AT 101, CJIS, DFARS, COBIT, ISO 27001, ISO 27002, ISO 27005, SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC CIP and other federal and state mandates.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!